Firebox X Edge
User Guide
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express
written permission of WatchGuard Technologies, Inc.
Copyright, Trademark, and Patent Information
Copyright 1998 - 2005 WatchGuard Technologies, Inc. All rights reserved.
Acronyms used in this guide: 3DES, BOVPN, DES, DNS, DHCP, DSL, IP (Internet Protocol), IPSec, ISDN, ISP, MAC, MUVPN, NAT, PPP (Point-to-Point Protocol), PPPoE, TCP, UDP, URL, VPN, WAN, WSEP.
ADDRESS:
505 Fifth Avenue South
Suite 500
Seattle, WA 98104

SUPPORT:
www.watchguard.com/support
support@watchguard.com
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456

SALES:
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.521.8340

ABOUT WATCHGUARD
WatchGuard network security solutions provide small- to mid-sized enterprises worldwide with effective, affordable security. Our Firebox line of extendable, integrated security appliances is designed to be fully upgradeable as an organization grows, and to deliver the industry's best combination of security, performance, intuitive interface, and value. WatchGuard Intelligent Layered Security architecture protects against emerging threats effectively and efficiently, and provides the flexibility to integrate additional security functionality and services offered through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity Service subscription to help customers stay on top of security with vulnerability alerts, software updates, expert security instruction, and superior customer care.

FOR MORE INFORMATION: Please visit us at www.watchguard.com or contact your reseller for more information.
CHAPTER 1
Introduction to Network Security
Network Security
While the Internet gives you access to a large quantity of information
and business opportunity, it also opens your network to attackers. A
good network security policy helps you find and prevent attacks on
your computer or network.
Many people think that their computer holds no important information. They do not think that their computer is a target for a hacker.
This is not correct. A hacker can use your computer as a platform to
attack other computers or networks or use your account information
to send e-mail spam or attacks. Your account information is also vulnerable and valuable to hackers.
About Networks
A network is a group of computers and other devices that are connected to each other. It can be two computers that you connect
with a serial cable, or many computers around the world connected
through the Internet. Computers on the same network can do work
together and share data.
A LAN (Local Area Network) is a connected group of computers that
use the same method of communication to share data.
A WAN (Wide Area Network) is a connected group of computers that
can be far apart in different locations.
Protocols
A protocol is a group of rules that allow computers to connect
across a network. Protocols are the grammar that computers use
to speak to each other.
The standard protocol when you connect to the Internet is the IP
(Internet Protocol). This protocol is the usual language of computers
on the Internet.
A protocol also tells how data is sent through a network. The most
frequently used protocols are TCP (Transmission Control Protocol)
and UDP (User Datagram Protocol). Other protocols are less frequently used.
TCP/IP is the basic protocol used by computers that connect to the
Internet. You must know some settings of TCP/IP when you set up
your Firebox X Edge. For more information on TCP/IP, see Finding
your TCP/IP properties on page 15.
Data packet
The TCP and IP protocols are used to send and receive these packets.
TCP disassembles the data and assembles it again. IP adds information to the packets, such as the sender, the recipient, and any special
instructions.
IP Addresses
To send mail to a person, you must first know their physical address.
For a computer to send data to a different computer, it must first
know the address of that computer. A computer address is known as
an IP address. Only one device can use an IP address at a time.
An IP address is a group of four numbers divided by decimal points.
Some examples of IP addresses are:
192.168.0.11
10.1.20.18
208.15.15.15
Network addressing
ISPs (Internet service providers) assign an IP address to each device
on their network. The IP address can be static or dynamic. Each ISP
has a small number of IP addresses.
Static IP addresses are permanently assigned to a device. These
addresses do not change automatically, and are frequently used for
servers.
Dynamic IP addresses change with time. If a dynamic address is not
in use, it can be automatically assigned to a different device.
Your ISP can tell you how their system assigns IP addresses.
About DHCP
Many ISPs assign dynamic IP addresses through DHCP (Dynamic
Host Configuration Protocol). When a computer connects to the
network, a DHCP server at the ISP assigns that computer an IP
address. It is not necessary to assign IP addresses manually when
you use DHCP.
About PPPoE
Some ISPs assign their IP addresses through Point-to-Point Protocol
over Ethernet (PPPoE). PPPoE expands a standard dial-up connection to add some of the features of Ethernet and PPP. This system
allows the ISP to use the billing, authentication, and security systems of their dial-up infrastructure with DSL modem and cable
modem products.
Services
A service opens access from your network to a computer that is
external to your network. You use services to send e-mail or move
files from one computer to a different computer through the network. These services use protocols. Frequently used Internet services
are:
World Wide Web access uses Hypertext Transfer Protocol (HTTP)
E-mail uses Simple Mail Transfer Protocol (SMTP)
File transfer uses File Transfer Protocol (FTP)
Changing a domain name to an Internet address uses Domain
Name Service (DNS)
Remote terminal access uses Telnet or SSH (Secure Shell)
Some services are necessary, but each service you add to your security policy can also add a security risk. To send and receive data, you
must open a door in your computer, which puts your network at
risk. Attackers can use open access of a service to try to get into a
network. We recommend that you only add services that are necessary for your business.
Ports
Usually, a port is a connection point where you use a socket and a
plug to connect two devices. Computers also have ports that are not
physical locations. These ports are where programs transmit data.
Firewalls
A firewall divides your internal network from the Internet to
decrease risk from an external attack. We refer to the computers and
networks on the Internet as the external network. The computers on
the internal side of the firewall are protected. We refer to these as
trusted computers. The figure below shows how a firewall divides
the trusted computers from the Internet.
Firewalls use access policies to identify different types of information. They can also control which services or ports the protected
computers can use on the Internet (outbound access). Many firewalls have sample security policies and users can select the policy
that is best for them. With others, such as the Firebox X Edge, the
user can customize these policies.
CHAPTER 2
Installing the Firebox X Edge
Package Contents
Make sure that the package for your Firebox X Edge includes these
items:
The Firebox X Edge QuickStart Guide
A LiveSecurity Service activation card
A Hardware Warranty Card
An AC power adapter (12 V)
Installation Requirements
The Firebox X Edge installation requirements are:
A computer with a 10/100BaseT Ethernet network interface
card to configure the Firebox.
A Web browser. You can use Netscape 7.0 (or later), Internet
Explorer 6.0 (or later), or an equivalent browser.
The serial number of the Firebox X Edge.
You can find the serial number on the bottom of the Firebox. You use
the serial number to register the Edge.
An Internet connection.
The external network connection can be a cable or DSL modem with a
10/100BaseT port, an ISDN router, or a direct LAN connection. If you
have problems with your Internet connection, call your ISP (Internet
Service Provider) to correct the problem before you install the Firebox X
Edge.
get a static IP address from your ISP. A static IP address can cost
more money than a dynamic IP address.
DHCP: A dynamic IP address is an IP address that an ISP lets
you use temporarily. ISPs use DHCP (Dynamic Host
Configuration Protocol) to assign you a dynamic IP address.
With DHCP, your computer does not always use the same IP
address. Each time you connect to the ISP, a DHCP server
assigns you an IP address. It could be the same IP address you
had before, or it could be a new IP address. When you close an
Internet connection that uses a dynamic IP address, the ISP can
assign that IP address to a different customer.
PPPoE: An ISP can also use PPPoE (Point-to-Point Protocol over
Ethernet) to assign you an IP address. Usually, a PPPoE address
is dynamic. You must have a user name and a password to use
PPPoE.
The ISP also assigns a subnet mask (also known as the netmask) to a
computer. A subnet mask divides a larger network into smaller networks. It is a string of bits that masks one section of
an IP address to show how many IP addresses can be on the smaller
network.
Read your DSL or cable modem instructions or speak to your ISP to
learn if you have a dynamic IP address or a static IP address.
NOTE
If your ISP assigns your computer an IP address that starts with
10, 192.168, or 172.16 to 172.31, then your ISP uses NAT (Network
Address Translation) and your IP address is private. We recommend
that you get a public IP address for your Edge external IP address.
If you use a private IP address, you can have problems with some
features, including VPN.
TCP/IP properties worksheet:
IP Address: ___.___.___.___
Subnet Mask: ___.___.___.___
Default Gateway: ___.___.___.___
DHCP Enabled: Yes / No
DNS Server(s): Primary ___.___.___.___ Secondary ___.___.___.___
To find your TCP/IP properties, use the instructions for your computer operating system.
Macintosh OS X
1 Click the Apple menu > System Preferences.
The System Preferences window appears.
From the Show drop-down list, select the network adapter you
use to connect to the Internet.
Record the following values:
Login Name: ____________
Domain: ____________
Password: ____________
You can use these instructions to disable the HTTP proxy in Firefox,
Mozilla, Netscape, or Internet Explorer. If you are using a different
browser, use the browser Help system to find the necessary information. Many browsers automatically disable the HTTP proxy feature.
5 Click OK.
Disable the HTTP proxy in Internet Explorer
1 Open Internet Explorer.
2 Click Tools > Internet Options.
The Internet Options window appears.
Clear the check box labeled Use a proxy server for your LAN.
Click OK twice.
Find the Ethernet cable supplied with your Edge. Connect this
cable to a trusted interface (0-6) on the Edge. Connect the
other end of this cable to the Ethernet interface of your
computer.
NOTE
Only use the AC adapter for the Firebox X Edge.
If you are registered at the WatchGuard web site, type your user
name and password. If you are not registered, you must create a
user profile. To do this, follow the instructions on the web site.
http://www.watchguard.com/upgrade
CHAPTER 3
When you configure a WatchGuard Firebox X Edge, you create firewall rules to apply the security rules of your company. Before you create these rules, you must install your Firebox. To create a basic
configuration, use your web browser to connect to the web pages on
the Firebox X Edge.
You can also use the Edge configuration pages to create an account,
look at network statistics, and see the current configuration of the
Edge.
Read this chapter to find basic information about the Firebox X Edge
configuration pages. There are sections in subsequent chapters that
have more advanced procedures. This chapter contains links to subsequent sections.
NOTE
You can see the configuration pages only if you used the Quick
Setup Wizard, as shown in Chapter 2, Installing the Firebox X Edge.
Also, to configure the Firebox X Edge, your network administrator
must configure your user account to see and change the
configuration pages. See Chapter 9 Managing Users and Groups for
more information on user accounts.
NOTE
If necessary, you can connect to the web server on the Firebox X
Edge in HTTP mode instead of HTTPS mode. HTTP mode is less
secure, because any configuration changes you make are sent to
the Firebox in unencrypted text.
To see the primary page for each feature, click the menu item on the
navigation bar. For example, to see how logging is configured for
your Firebox and to see the current event log, click Logging.
Each menu item contains submenus that you use to configure the
properties of that feature. To see these submenus, click the plus sign
(+) to the left of the menu item. For example, if you click the plus
sign adjacent to WebBlocker, these submenu items appear: Settings, Profiles, Allowed Sites, Denied Sites, and Trusted Hosts.
This user guide uses an arrow (>) symbol to show menu items that
you expand or click. The menu names are in bold. For example, the
command to open the Denied Sites page appears in the text as
WebBlocker > Denied Sites.
Configuration Overview
You use the Firebox X Edge system configuration pages to set up
your Edge and protect your network. This section gives an introduction to each category of pages and tells you which chapters in this
User Guide contain detailed information about each feature.
Network Page
The Network page shows the configuration of each network interface. It also shows any configured routes and has buttons you can
use to change configurations and to see network statistics. For more
information, see Chapter 5, Changing Your Network Settings.
Administration Page
The Administration page shows if the Firebox uses HTTP or HTTPS
for its configuration pages, if the Edge is configured as a managed
Firebox client, and which upgrades are enabled. It has buttons to
change configurations, add upgrades, and see the configuration file.
Firewall Page
The Firewall page shows incoming and outgoing services, blocked
sites, and other firewall settings. This page also has buttons to
change these settings. For more information, see Chapter 7, Configuring Firewall Settings.
Logging Page
The Logging page shows the current event log, the status of the Log
Server and syslog logging, and the system time. It also has buttons
to change these properties and to set your system time to the same
value as your local computer. For more information, see Chapter 8,
Configuring Logging and System Time.
WebBlocker Page
The WebBlocker page shows the WebBlocker settings, profiles,
allowed sites, denied sites, and trusted hosts. It also has buttons to
change the current settings. For more information, see Chapter 10,
Configuring WebBlocker.
VPN Page
The VPN page shows information on managed VPN tunnels, manual
VPN gateways, echo hosts, and buttons to change the configuration
of VPN tunnels. It also has a button for you to see statistics on
Wizards Page
The Wizards page shows the wizards you can use to help you set up
Firebox X Edge features. Each wizard launches a new window to
help you configure the Edge settings.
CHAPTER 4
Configuration and Management Basics
Use these steps to set the Firebox to the factory default settings:
Continue to hold down the button until the yellow Attn light
comes on and stays on. This shows you that the Edge has been
successfully reset.
NOTE
Do not try to connect to the Edge at this time. Start the Edge one
more time, as the subsequent steps show. If you do not start the
Edge one more time, when you try to connect to the Edge you will
see a web page with Your WatchGuard Firebox X Edge is running
from a backup copy of firmware. You could also see this message
if the reset button is stuck in the depressed position. Check the
reset button, restart the Edge and try again.
Local restart
You can locally restart the Firebox X Edge with two methods: use
the web browser or disconnect the power supply.
Click Reboot.
Remote reboot
You must configure the remote Firebox X Edge to allow incoming
HTTPS traffic to the Edge trusted interface IP address if the computer is not on the trusted interface. For more information on how
to configure the Firebox to receive incoming traffic, see Configuring Incoming Services on page 105. After HTTPS traffic is allowed,
you can remotely manage your Firebox X Edge using your browser.
To do a remote reboot:
Click Reboot.
If your browser does not support HTTPS, or to make the Edge HTML
configuration pages load faster, you can use HTTP. Using HTTP is
less secure. When you use HTTP, all configuration changes are sent
to the Edge from your computer in unencrypted text. We recommend that you use HTTPS to configure your Firebox X Edge.
Follow these instructions to use HTTP instead of HTTPS:
Click Submit.
If you select this check box, you must type http:// in the
browser's address bar to bring up configuration pages instead of the
default https://.
To change the port over which you communicate with the Firebox X
Edge, type a new value in the HTTP Server Port field in the System
Security configuration page shown above.
For more information on using HTTP or HTTPS with the Edge and
changing the HTTP Server Port, see this FAQ:
https://www.watchguard.com/support/advancedfaqs/edge_httpserverport.asp
Type a status passphrase for your Firebox X Edge and then type
it again to confirm in the correct fields.
NOTE
These passphrases must match the passphrases you use when you
add the device to WatchGuard System Manager or the connection
will fail.
11 Click Submit.
Type a status passphrase for your Firebox X Edge and then type
it again to confirm in the correct fields.
NOTE
These passphrases must match the passphrases you use when you
add the device to WatchGuard System Manager or the connection
will fail.
11 Click Submit.
If you use VPN Manager 7.2 or below, click the VPN Manager
7.2 or below check box.
Click the Enable VPN Manager Access check box to allow VPN
Manager to connect to the Firebox X Edge. Type and confirm
the status and configuration passphrase for the Firebox X Edge.
NOTE
These passphrases must match the passphrases you use when you
add the device to VPN Manager or the connection will fail.
In the DVCP Server Address text box, type the IP address of the
DVCP server.
11 Click Submit.
NOTE
Because the Installer uses FTP to transfer files, make sure your
Firebox X Edge is not configured to deny FTP access, as described
in Denying FTP access to the Firebox X Edge on page 121.
Extract the wgrd file from the Zip file you downloaded with
an archiving utility such as WinZip (for Windows computers),
StuffIt (for Macintosh), or the zip program (for Linux).
Type the name of the file that contains the new Firebox X Edge
software in the Select file box. Or click Browse to find the file
on the network.
that appears on the Update page. After the Firebox restarts, the System
Status page appears and shows the new version number.
Copy the feature key from the LiveSecurity Service Web site.
Use the instructions on the Web site to activate your license key
and to get the feature key.
To connect to the System Status page, type https:// in the
browser address bar, and the IP address of the Edge trusted
interface.
The default URL is: https://192.168.111.1
Upgrade options
User licenses
A seat license upgrade allows more connections between the
trusted network and the external network. For example, a 5-seat
user license upgrade allows five more connections to the external
network than the base model with no licenses applied.
MUVPN Clients
The MUVPN Clients upgrade allows remote users to connect to
the Firebox X Edge through a secure (IPSec) VPN tunnel. These
users have access to trusted network resources.
WebBlocker
The WebBlocker upgrade enables you to control access to Web
content. For more information on WebBlocker, see Chapter 10,
Configuring WebBlocker.
WAN Failover
The WAN failover feature adds redundant support for the
external interface. For more information, see Enabling the WAN
Failover Option on page 83.
CHAPTER 5
Changing Your Network Settings
To configure your Firebox X Edge, you must know how it gets the
IP address for the external interface. If you do not know the
method, get the information from your ISP or corporate network
administrator.
Click Submit.
Click Submit.
Type your name and password in the related fields. Get this
information from your ISP. If your ISP gives you a domain
name, type it into the Domain field.
Most ISPs using PPPoE make you use the domain name and your user
name. Do not include the domain name with your user name like this:
myname@ispdomain.net. If you have a PPPoE name with this format,
type the myname section in the Name field. Type the ispdomain section
in the Domain field. Do not type the @ symbol. Some ISPs do not use
the domain.
You can use static IP addresses or DHCP for the computers on your
trusted network. The Firebox X Edge has a built-in DHCP server to
give IP addresses to computers on your trusted and optional networks. You can also change the IP address of the trusted network.
The factory-default settings of a Firebox DHCP server automatically
give IP addresses to computers on the trusted network. The trusted
network starts with IP address 192.168.111.1. It is a class C network with a subnet mask of 255.255.255.0. The Firebox can give an
IP address from 192.168.111.2 to 192.168.111.254. The factory-default settings use the same DNS server information on the internal
and external interfaces.
If necessary, you can disable the Firebox DHCP server. Or, you can
use the Firebox as a DHCP Relay Agent and send DHCP requests to a
DHCP server on a different network using a VPN tunnel. You can
also use static IP addresses for the computers on your trusted network.
Any changes to the trusted network configuration page require that
you click Submit and then restart the Firebox before the new configuration starts. You can make many changes at one time and then
restart just one time when you are done.
NOTE
If you change the IP address of the Edge's trusted interface, you
must use the new IP address in your browser address bar to
connect to the Edge's Web management interface.
For example, if you change the Edge trusted interface IP address
from the default 192.168.111.1 to 10.0.0.1 and then click Submit,
you must then use https://10.0.0.1 in your browser address bar to
connect to the Edge's System Status page. Also, your computers
Type the first and last available IP addresses for the trusted
network. Do not include the IP address of the Firebox X Edge.
The IP addresses must be on the same network as the trusted IP address.
For example, if your trusted IP address is 192.168.200.1, the IP addresses
can be from 192.168.200.2 to 192.168.200.254.
Click Submit.
Click Submit.
NOTE
Computers on the trusted network must use the Firebox's trusted
interface IP address as the default gateway. If a computer does
not use the Firebox as the default gateway, it usually cannot get
to the external network or the Internet.
Type the first address of the new network address range in the
IP Address text field.
Type the first available IP address for the optional network. Type
the last available IP address.
The IP addresses must be on the same network as the optional IP address.
For example, if your optional IP address is 192.168.112.1, the IP
addresses can be from 192.168.112.2 to 192.168.112.254.
Click Submit.
Click Submit.
NOTE
Computers on the optional network must use the Firebox's
optional interface IP address as the default gateway. If a computer
does not use the Firebox for the default gateway, it usually cannot
get to the external network or the Internet.
Click Add.
The Add Route page appears.
NOTE
A host is one computer. A network is more than one computer
using a range of IP addresses.
You must type network addresses in slash notation (also known
as CIDR, or Classless Inter Domain Routing, notation). Do not type
a slash for a host IP address. For more information on how to
enter IP addresses in slash notation, refer to this FAQ:
http://watchguard.com/support/advancedfaqs/general_slash.asp
Click Submit.
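Three address rules stated in this guide can be checked before you click Submit: an external address that starts with 10, 172.16 to 172.31, or 192.168 means the ISP uses NAT; a trusted or optional DHCP pool must be on the same network as the interface address and must not include the Edge's own address; a route destination is typed in slash notation for a network and without a slash for a single host. The script below is an added example using Python's standard ipaddress module, not WatchGuard code; the function names, the netmask argument and the sample values are the example's own.

```python
"""Address sanity checks for a Firebox X Edge style configuration.

Added example, not WatchGuard code. It encodes three rules stated in the
guide: (1) an external IP address in 10/8, 172.16/12 or 192.168/16 means the
ISP is using NAT; (2) a DHCP pool must lie inside the interface's network and
must not include the Edge's own address; (3) route destinations are typed in
slash (CIDR) notation for networks and without a slash for single hosts.
"""
import ipaddress

# The private ranges named in the guide's NAT note (RFC 1918).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private_ip(ip: str) -> bool:
    """True if the ISP-assigned address is in a private range (ISP uses NAT)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def check_dhcp_pool(interface_ip: str, netmask: str, first: str, last: str) -> list:
    """Return a list of problems with a trusted/optional DHCP pool (empty = OK).

    Mirrors the guide's rule: pool addresses must be on the same network as the
    interface address and must not include the Firebox's own address.
    """
    problems = []
    iface = ipaddress.ip_interface(f"{interface_ip}/{netmask}")
    net = iface.network
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        problems.append("first address is after last address")
    for label, a in (("first", lo), ("last", hi)):
        if a not in net:
            problems.append(f"{label} address {a} is not in {net}")
        elif a in (net.network_address, net.broadcast_address):
            problems.append(f"{label} address {a} is the network or broadcast address")
    if lo <= iface.ip <= hi:
        problems.append(f"pool includes the interface address {iface.ip}")
    return problems


def parse_route_destination(text: str) -> ipaddress.IPv4Network:
    """Parse a route destination as the Edge's Add Route page expects it.

    Networks use slash notation; a host is a bare IP address with no slash
    and is treated as a single-address (/32) destination.
    """
    text = text.strip()
    if "/" in text:
        # strict=True rejects host bits set under the mask (e.g. 10.0.0.5/24)
        return ipaddress.ip_network(text, strict=True)
    return ipaddress.ip_network(text + "/32")


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    print(is_private_ip("192.168.1.20"), is_private_ip("208.15.15.15"))
    print(check_dhcp_pool("192.168.200.1", "255.255.255.0",
                          "192.168.200.2", "192.168.200.254"))
    print(check_dhcp_pool("192.168.111.1", "255.255.255.0",
                          "192.168.111.1", "192.168.112.10"))
    print(parse_route_destination("10.50.0.0/16"), parse_route_destination("10.50.1.7"))
```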
NOTE
WatchGuard is not affiliated with DynDNS.org.
Click Submit.
NOTE
The Firebox gets the IP address of members.dyndns.org when it
starts up. The Firebox connects to the IP address it finds for
members.dyndns.org to register the current Firebox external
interface IP address with the DynDNS service.
The Firebox does not operate with other Dynamic DNS services,
only DynDNS.org.
From the drop-down list, select the interface for the feature:
Ethernet (WAN2) or Modem (serial port).
Click Submit.
Click Submit.
Type the telephone number of your ISP and your account name
in the relevant fields. If you have an alternate telephone
number, you can enter that below the telephone number.
Select the Enable modem and PPP debug trace check box to
create a log of the problem. Do not enable this check box unless
you have problems with your connection.
In the Primary DNS Server text box, type the IP address of the
primary DNS server. If you have a secondary DNS server, type
its IP address in the Secondary DNS Server field.
Dial-up settings
CHAPTER 6
Firebox X Edge Wireless Setup
The Wireless Configuration page appears, with the Settings tab active.
NOTE
When you complete the wireless configuration, restart your
Firebox X Edge Wireless.
Bridge to Trusted
In this mode, the wireless client is a part of the trusted network.
If the wireless client sets the IP address of its wireless network
card with a static IP address, the IP address must be in the
trusted IP address range of the Edge. If the wireless network card
is set to DHCP, the DHCP server on the Edge's trusted network
must be active and configured. If this option is selected, the
wireless client can send any type of traffic to the other
computers on the trusted network. This includes Windows
Networking NetBIOS broadcasts, which are useful for users who
browse with Windows Network Neighborhood.
Bridge to Optional
In this mode, the wireless client is a component of the optional
network. You must use the Bridge to Optional mode if you
enable guest services on the Firebox X Edge Wireless.
If you use this option, you must first activate the optional
network. The optional network is not enabled by default. If the
wireless client has its wireless network card set with a static IP
address, the IP address must be in the optional IP address range
of the Edge. If the wireless network card is set to DHCP, the
DHCP server on the Edge's optional network must be active and
configured. If this option is selected, the wireless client can send
any type of traffic to the other computers on the optional
network. This includes Windows Networking NetBIOS broadcasts.
Because the wireless client is a part of the optional network or
trusted network, it is important to think about the networking
requirements of wireless clients. The firewall properties control the
traffic between these two networks.
NOTE
Because they are optional or trusted network clients, a wireless
client can be a part of any Branch Office VPN tunnels in which the
local network component of the Phase 2 settings include optional
or trusted network IP addresses. To control access to the VPN, you
can force Firebox users to authenticate.
wireless network card in your computer must have the same SSID as
the Firebox X Edge Wireless.
To change the SSID of the Firebox X Edge Wireless, type a new
name in the SSID field to uniquely identify your wireless network.
802.11g only
This is the default mode. This allows you to deny access to
802.11b clients so that you can keep the Edge operating in the
faster 802.11g mode.
802.11g and 802.11b
This mode allows the Firebox X Edge Wireless to connect with
devices that use 802.11b or 802.11g.
802.11b only
This mode allows the Firebox X Edge Wireless to connect to
devices using only 802.11b.
NOTE
The Firebox X Edge only operates in 802.11g mode if all the
wireless cards connected to the Edge are using 802.11g. If
any 802.11b clients connect to the Edge, all connections
automatically drop to 802.11b mode.
sions on the wireless LAN between the computers and the access
points. WPA and WEP can also prevent unauthorized access to the
wireless access point.
WEP and WPA each use pre-shared keys, but WPA can use an algorithm to change the encryption key at regular intervals. This keeps
the data sent on a wireless connection more secure. If you use the
Windows XP operating system with Service Pack 2 or higher, you can
use WPA-PSK (WPA with pre-shared keys) with no additional driver
installation. If you use an earlier version of Windows or a different
operating system, it can be necessary to install other drivers to use
WPA-PSK. If you cannot use WPA-PSK, WatchGuard recommends
that you use Shared Key authentication with WEP encryption or
MUVPN without WPA or WEP.
To protect privacy, you can use these features together with other
LAN security mechanisms such as password protection, VPN tunnels,
and user authentication.
Configuring encryption
From the Encryption drop-down list, select the level of encryption
for your wireless connections. The options change when you use different authentication mechanisms.
If you typed more than one key, click the key to use as the
default key from the Key Index drop-down list.
The Firebox X Edge can use only one key at a time. If you select a key
other than the first key in the list, you must also set your wireless client
to use the same key.
WPA-PSK authentication
The encryption options for WPA-PSK authentication are TKIP, AES,
and Auto. WPA-PSK only operates correctly if you are using Windows XP Service Pack 2 or higher or have installed a driver for your
operating system that supports PSK.
We recommend that you set the WPA-PSK encryption option to
Auto to have the Firebox accept TKIP and AES settings.
From the navigation bar, select Network > Wireless and click
the Security tab.
If you use WEP/WPA encryption and use encrypted MUVPN at the same
time, network speeds will decrease.
Click Submit.
with MAC address restrictions to keep your wireless network connections secure.
Click Add.
Repeat steps 3 and 4 for each computer that can connect to the Edge.
Click Submit.
WARNING
Both guests and regular Firebox users can get access to the
Firebox X Edge through the wireless interface. Guest users can
connect to all regular Firebox user computers on the wireless
network and Firebox users can connect to all guest user
computers. If you host wireless access for people outside your
organization and keep other security settings low, the
confidentiality of your data is at risk.
Select the Enable guest services check box to turn on the guest
service feature.
When you enable this feature, you also enable the default local user
account guest. Any user who gets access to the Firebox as a guest user
must use the local user account named guest. You cannot change the
default name of the guest account.
CHAPTER 7
Configuring Firewall Settings
The Firebox X Edge uses services and other firewall options to control
the traffic between the trusted, optional, and external networks. The
configuration of allowed services and firewall options set the level of
security the Firebox applies to your network.
About Services
A Firebox service is one or more rules that together monitor and control traffic. These rules set the firewall actions for a service:
Allow lets data or a connection through the Firebox.
Deny stops data or a connection from going through the Firebox,
and sends a response to the source.
No Rule sets a rule to off, as if the rule was not defined. This
option is available to allow you to manage only the incoming or
only the outgoing properties of a service.
For example, to operate a web server behind the Firebox X Edge, configure the HTTP service to let incoming traffic flow to the IP address of
the web server (the internal computer that receives the requests for
web pages).
NOTE
The incoming services in this section have no effect on traffic
between the trusted and optional networks. These services also
have no effect on traffic between computers on the trusted
network or between computers on the optional network.
Click Submit.
Repeat steps 1-5 to allow or deny more common services.
NOTE
If you set a common service to Allow, the Edge allows traffic that
uses that service from any source on the external network. Traffic
from that service goes to the service host.
To limit which external sources can use the ports and protocols
of the service you are adding, create a custom service.
In the Service Name text box, type the name for your service.
From the Protocol Settings drop-down list, select TCP Port,
UDP Port, or Protocol.
In the text box adjacent to the Port/Protocol drop-down list,
type a port number or protocol number. To use a range of ports,
type a port number in the second text box.
NOTE
An IP protocol number is not the same as a TCP or UDP port
number. TCP is IP protocol number 6 and UDP is IP protocol
number 17. If you use an IP protocol that is not TCP or UDP, you
must enter its number. IP protocol numbers include 47 for GRE
(Generic Routing Encapsulation) and 50 for ESP (Encapsulating
Security Payload). Most settings are done with TCP or UDP ports.
Click Add.
Repeat steps 6-8 until you have a list of all the ports and protocols that
this service uses. You can add more than one port and more than one
protocol to a custom service. More ports and protocols make the
network less secure. Add only the ports and protocols that are necessary.
Click Add. The From box shows the host range, host IP address,
or network IP address that you typed.
Repeat steps 3-5 until all of the address information for this custom
service is set. The From box can have more than one entry.
Click Submit.
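The following added example (not part of the guide or of WatchGuard's firmware) models the service rules described in About Services and the custom incoming service just built: Allow, Deny and No Rule actions, TCP/UDP ports and port ranges, raw IP protocol numbers such as 47 (GRE) and 50 (ESP), and the From box that limits external sources. The service names, the precedence of Deny over Allow and the default deny for uncovered traffic are assumptions; the IP addresses are the guide's sample VPN addresses.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# The three firewall actions the guide lists for a service rule.
ALLOW, DENY, NO_RULE = "Allow", "Deny", "No Rule"

# IP protocol numbers quoted in the guide's note on custom services.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class PortOrProtocol:
    """One Add entry of a custom service: a TCP/UDP port (optionally a range) or an IP protocol."""
    kind: str                  # "TCP Port", "UDP Port" or "Protocol"
    number: int                # port number, or IP protocol number when kind == "Protocol"
    end: Optional[int] = None  # second text box: last port of a range

    def matches(self, proto: int, dport: Optional[int]) -> bool:
        if self.kind == "Protocol":
            return proto == self.number
        want = PROTO_TCP if self.kind == "TCP Port" else PROTO_UDP
        if proto != want or dport is None:
            return False
        last = self.end if self.end is not None else self.number
        return self.number <= dport <= last


def parse_source(text: str):
    """Parse one From-box entry: a host IP, a network in CIDR form, or a host range 'a-b'."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return (lo, hi)
    return ipaddress.ip_network(text, strict=False)  # a bare host becomes a /32


def source_matches(entry, src: str) -> bool:
    ip = ipaddress.ip_address(src)
    if isinstance(entry, tuple):
        return entry[0] <= ip <= entry[1]
    return ip in entry


@dataclass
class Service:
    name: str
    action: str = NO_RULE                        # incoming filter: Allow, Deny or No Rule
    entries: List[PortOrProtocol] = field(default_factory=list)
    sources: list = field(default_factory=list)  # From box; empty = any external source
    host: Optional[str] = None                   # service host that receives allowed traffic

    def covers(self, src: str, proto: int, dport: Optional[int]) -> bool:
        if self.action == NO_RULE:               # No Rule behaves as if the rule were not defined
            return False
        if self.sources and not any(source_matches(s, src) for s in self.sources):
            return False
        return any(e.matches(proto, dport) for e in self.entries)


def evaluate_incoming(services: List[Service], src: str, proto: int, dport: Optional[int] = None):
    """Decide what happens to one packet arriving from the external network.

    Assumption (not stated in the guide): a Deny rule that covers the packet wins over
    an Allow rule, and traffic that no rule covers is denied.
    """
    hits = [s for s in services if s.covers(src, proto, dport)]
    if any(s.action == DENY for s in hits):
        return DENY, None
    for s in hits:
        if s.action == ALLOW:
            return ALLOW, s.host
    return DENY, None


# Constructed sample configuration (service names and hosts are made up).
SERVICES = [
    Service("HTTP", ALLOW, [PortOrProtocol("TCP Port", 80)], host="192.168.111.10"),
    Service("IPSec-from-SiteB", ALLOW,
            [PortOrProtocol("UDP Port", 500), PortOrProtocol("Protocol", PROTO_ESP),
             PortOrProtocol("Protocol", PROTO_GRE)],
            sources=[parse_source("68.130.44.15")], host="192.168.111.20"),
    Service("Block-dev-ports", DENY, [PortOrProtocol("TCP Port", 3000, 3010)]),
    Service("Telnet", NO_RULE, [PortOrProtocol("TCP Port", 23)]),
]

if __name__ == "__main__":
    for pkt in [("203.0.113.9", PROTO_TCP, 80), ("68.130.44.15", PROTO_ESP, None),
                ("203.0.113.9", PROTO_ESP, None), ("203.0.113.9", PROTO_TCP, 3005)]:
        print(pkt, "->", evaluate_incoming(SERVICES, *pkt))
```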
Click Add. The From box shows the IP addresses you added.
Repeat steps 2-4 until all of the address information for this custom
service is set. The From box can have more than one entry.
Click Submit.
NOTE
The outgoing services in this section have no effect on traffic
between the trusted and optional networks. These services also
have no effect on traffic between computers on the trusted
network or between computers on the optional network.
NOTE
To limit traffic sent from the trusted or optional networks not
specified in a common service, you must create a custom service.
In the Service Name text box, type the name for your service.
From the Protocol drop-down list, select TCP Port, UDP Port, or
Protocol.
In the text box adjacent to the Protocol drop-down list, type a
port number or protocol number. To use a range of ports, type a
port number in the second text box.
NOTE
An IP protocol number is not the same as a TCP or UDP port
number. TCP is IP protocol number 6 and UDP is IP protocol
number 17. If you use an IP protocol that is not TCP or UDP, you
must enter its number. IP protocol numbers include 47 for GRE
(Generic Routing Encapsulation) and 50 for ESP (Encapsulating
Security Payload). Most settings are done with TCP or UDP ports.
Click Add.
Repeat steps 6-8 until you have a list of all the ports and protocols that
this service uses. You can add more than one port and more than one
protocol to a custom service. More ports and protocols can make the
network less secure. Add only the ports and protocols that are necessary.
To allow all traffic from the trusted network, select Allow for
the Outgoing service from the Filter drop-down list.
To deny all traffic from the trusted network, select Deny for the
Outgoing service from the Filter drop-down list.
To deny some traffic, but allow all other traffic from the trusted
network to the optional network, set the Outgoing service to
Deny from the Filter drop-down list. Then, for each service that
is permitted, select Allow from the Filter drop-down list.
Click Submit.
NOTE
When you select the Disable traffic filters check box, the trusted
network is not protected from the optional network. All traffic
can flow between the optional and trusted networks.
Click Add.
Click Submit.
Select the Do not allow FTP access to the Edge from the
Trusted Network check box.
Click Submit.
NOTE
You must clear the Do not allow FTP access to the Edge from
the Trusted Network check box when you apply an update to
the Edge firmware with the automatic installer. If you do not clear
this check box, the Software Update Installer cannot move
firmware files to the Firebox X Edge.
NOTE
If software that uses SOCKS operates on a computer on the trusted
network, then all users on the trusted network can use the SOCKS
proxy. To remove this risk, disable the SOCKS proxy on your
Firebox X Edge.
NOTE
The Firebox X Edge uses port 1080 to speak to computers with
software using SOCKS. Make sure that port 1080 is open and not
used by other software on the computer.
2 Click Submit.
To use the SOCKS-compatible application:
1 Clear the Disable SOCKS proxy check box.
The SOCKS proxy is enabled.
Click Submit.
NOTE
Recording all outgoing traffic creates a large number of log
records. We recommend that you record all the outgoing traffic
only as a problem-solving tool, unless you send log messages to a
remote Log Server.
Click Submit.
If the changes are successful, you must restart the Firebox.
NOTE
If the field marked MAC address for the external network is
cleared and the Firebox X Edge is restarted, the Firebox X Edge
uses the standard MAC address for the external network.
CHAPTER 8
Configuring Logging and System Time
A log file is a list of all the events that occur on the Firebox X Edge.
An event is one activity, such as when the Firebox denies a packet. A
log file records and saves information about these events.
An event log message is an important part of a network security policy.
A sequence of denied packets can show a pattern of suspicious network activity. Log records can help you identify possible security problems.
NOTE
The Firebox X Edge log is cleared if the power supply is disconnected
or the Edge is restarted. To keep the information permanently, you
must configure an external syslog or Log Server.
Category
The type of message. For example, if the message came from an
IP address or from a configuration file.
Message
The text of the message.
Use this procedure to see the event log file:
WatchGuard System Manager User Guide. Use these instructions to send your
event logs to the Log Server.
Below Primary Log Host, type the IP address of the primary Log Server in
the Log Host IP Address field.
Type a passphrase in the Log Encryption Key field and confirm the
passphrase in the Confirm Key field.
The same passphrase must also be used when the Log Server is configured to
receive log messages from this Firebox X Edge.
Click Submit.
Click Submit.
NOTE
Because syslog traffic is not encrypted, syslog messages that are
sent through the Internet decrease the security of the trusted
network. Use a VPN tunnel to increase the security of syslog
message traffic. If the syslog messages go through a VPN tunnel,
IPSec technology encrypts the data.
If you set the system time automatically, the Edge gets the
current time from the selected server in the NTP Servers list. If a
server is not available, the Edge uses the subsequent server.
- To add a time server, type the server name in the Add New
Server field and click Add.
- To remove a time server, select the server from the NTP Servers
list and click Remove.
- Click a server to select it as the default time server.
To save your changes, skip to step 8.
If you set the system time manually, you must set the date and
time separately.
- Select the month from the first drop-down list.
- Select the year from the second drop-down list.
- Click the button with the number that is today's date.
Click Submit.
CHAPTER 9
Managing Users and Groups
The Firebox X Edge includes tools you can use to manage your network and your users. You can create users and manage access to the
Internet or to your VPN tunnels with user authentication. Or, you can
allow free access to the Internet and VPN tunnels to all users. In this
chapter, you learn to do these tasks:
Examine current users and properties
Configure local Firebox authentication
Configure the Firebox to use LDAP or Active Directory
authentication
Allow internal hosts to bypass user authentication
NOTE
Only sessions from computers on the Edge's trusted or optional
network to computers on the external network use a user license. For
On the Firebox Users page, you can see information about sessions
in the Active Sessions section. You can also see information on the
users that you configured for this Edge.
Active Sessions
If local user accounts are enabled, the Active Sessions section of the
Firebox Users page shows information for all current sessions,
including:
The name of the user who started the session
The total time since the session started
The time between the last packet and the session expiration is
known as the idle time. If the idle time is set to 0 hours and 0
minutes, the Firebox does not disconnect the session.
If local user accounts are not enabled, each active session shows the
IP address of the hosts that have started sessions.
Stopping a session
The Edge monitors and records the properties of each user session.
If the Automatic Session Termination time limit for all sessions is
reached, or if the Edge restarts, all sessions are stopped at the same
time. The Edge administrator can also use the Firebox Users page to
stop a session.
To stop a session manually:
Find the session in Active Sessions list. Click the Close button.
To stop all sessions, click the Close All button.
If Firebox user authentication is enabled for external network connections, a session stops when one of these events occurs:
The idle time-out limit set for that account is reached.
The maximum time limit set for that account is reached.
The Firebox user manually stops the session.
To stop the session, the user clicks the Logout button on the
Login Status dialog box and closes all open browser windows.
License upgrades are available from your reseller or from the WatchGuard web site:
http://www.watchguard.com/products/purchaseoptions.asp
If a session used a user license and the session closes, the user
license is available for a different user. For more information on user
licenses, see About User Licenses on page 137.
If local user accounts are enabled, you also see information about
Internet and VPN access rights.
You can lock the MUVPN client security policy (.wgx file) to
prevent accidental changes. Select the Make the MUVPN client
security policy read-only check box.
Required
The mobile user must use a virtual adapter to connect with the
MUVPN client.
You can also enter a WINS Server address and DNS Server
address. Type the server IP addresses in the related field.
For more information on configuring the Mobile User VPN client
computer, see Chapter 10, Configuring the MUVPN Client.
NOTE
If your web browser is configured to block pop-up windows, it is
possible that some dialog boxes used by the Edge will not appear.
This includes dialog boxes used by wizards, and the dialog box
used to log in to the Edge.
When you authenticate with the Edge, one of two screens appears.
A user with Read-Only or Full Administrative Access sees the Firebox
X Edge System Status page. A user with Administrative Access set to
None sees a dialog box with an authentication status message. This
dialog box is known as the Login Status dialog box.
If you are using local authentication, you must type your name as it
appears in the Firebox user list. If you use Active Directory or
another LDAP server for authentication through the Firebox X Edge,
you must include the domain name. For example, if the administrator
authenticates using the local Firebox user list, the administrator
types admin. If the admin user authenticates with an LDAP authentication server through the Firebox X Edge, the administrator must
type MyCompany\admin.
When you authenticate with the Edge and make an Internet connection, your user name appears in the Active Sessions section of
the Firebox Users page.
In the Account Name field, type a name for the account. The
user types this name when authenticating.
The account name is case-sensitive.
In the Full Name field, type the first and last name of the user.
This is for your information only. A user does not use this name during
authentication.
NOTE
If you have Read-Only or Full access, the Edge's configuration
pages appear when you authenticate to the Edge. If you have an
Administrative access of None, the Login Status dialog box
appears when you authenticate to the Edge. If you have Read-Only or Full access, you can click on the Authenticate User link at
the bottom of the navigation pane on the left to open the Login
Status dialog box.
For more information, see Creating a read-only administrative
account, on page 144.
If you try to do these things, you get a message that tells you that
you have read-only access and cannot change the configuration file.
To create a read-only user account, edit the user account. Use the
Administrative Access drop-down list to select Read Only.
Click Submit.
Type the old password and a new password. Confirm the new
password.
ward user authentication requests to a generic LDAP or Active Directory server. You can use LDAP authentication and local Firebox
authentication at the same time.
With LDAP authentication, user privileges are controlled on a group
basis. You can add the names of your existing LDAP or Active Directory user groups to the Firebox configuration and assign privileges
and a WebBlocker profile. When users authenticate to the Firebox,
they prepend their LDAP domain name to their user name in the
authentication dialog box (domain\user name). If you use an Active
Directory authentication server, users can also authenticate using
their fully qualified domain name (username@mycompany.com).
In the Domain Name text box, type the name of the LDAP
domain. Do not include the top-level domain.
The domain (or host) name is the part of your company's URL that ends
with .com, .net, .org, .biz, .gov, or .edu. For example, if your company URL
is mycompany.com, type mycompany in the Domain Name text box.
From the LDAP server type drop-down list, select the type of
LDAP implementation you use in your organization: Active
Directory or Generic LDAP.
In the LDAP Server Port text box, type the port number the
Firebox X Edge will use for connections to the LDAP server.
The default LDAP server port number is 389. You do not usually have to
change this number.
In the Search Base text box, type the base in the LDAP directory
to start the search for user account entries. This must be a
legitimate LDAP DN (Distinguished Name).
A Distinguished Name is a name that uniquely identifies an entry in an
LDAP directory. A DN includes as many qualifiers as it must to find an
entry in the directory. For example, a DN can look like this:
OU=user accounts,DC=mycompany,DC=com
10 If you select Generic LDAP as the LDAP server type, you must
enter a Login Attribute Name and Group Attribute Name in
the appropriate text boxes. These text boxes do not appear if
you select Active Directory as the LDAP server type.
The Login Attribute Name is the name of the login name
attribute of user entries in the LDAP directory.
The Group Attribute Name is the name of the group
membership attribute of user entries in the LDAP directory.
11 Click Submit.
Adding a group
1 From the navigation bar, select Firebox Users > New Group.
In the Account Name text box, type the name of the new
group. This name must match the name of a group in the LDAP
directory.
This name must contain only letters, numbers, and the underscore (_) or
dash (-) characters. Spaces are not permitted.
Use the Session maximum time-out text box to set the number
of minutes a user session started by a member of this group is
allowed to stay active. When this limit occurs, the Firebox will
close the session.
Use the Session idle time-out text box to set the number of
minutes a user session started by a member of this group can
stay idle before it is automatically closed by the Firebox.
Select the Allow access to VPN check box to allow the members
of this group to access VPN tunnels using the Firebox X Edge.
10 Click Submit.
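As an added example (not code from the guide or from WatchGuard), the script below models the login handling and group settings described in this chapter: a name typed as domain\user or user@mycompany.com is routed to the configured LDAP domain (stored without its top-level domain), a bare name goes to the local Firebox user list, the user name is escaped before it is placed in an LDAP search filter, group names are validated against the allowed characters, and the group's maximum and idle session time-outs decide when a session closes. The attribute defaults, the meaning of a zero maximum time-out, and the sample domain values are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Group names on the Edge: letters, numbers, underscore and dash only, no spaces.
GROUP_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def valid_group_name(name: str) -> bool:
    return bool(GROUP_NAME_RE.match(name))


@dataclass(frozen=True)
class LdapDomain:
    """LDAP settings from the Firebox Users > Settings page (constructed sample values)."""
    domain_name: str        # typed without the top-level domain, e.g. "mycompany"
    server_type: str        # "Active Directory" or "Generic LDAP"
    search_base: str        # a DN such as "OU=user accounts,DC=mycompany,DC=com"
    port: int = 389
    login_attribute: str = "sAMAccountName"  # hypothetical default; Generic LDAP makes you type it
    group_attribute: str = "memberOf"        # hypothetical default; Generic LDAP makes you type it


def split_login(typed: str):
    """Return (domain, user) from the name typed in the authentication dialog box.

    'domain\\user' and 'user@domain.tld' carry a domain; a bare name means the local user
    list. The part after '@' is reduced to its first label because the Edge stores the
    domain without its top-level domain (assumption: single-label names as in the guide).
    """
    if "\\" in typed:
        domain, user = typed.split("\\", 1)
        return domain.lower(), user
    if "@" in typed:
        user, fqdn = typed.rsplit("@", 1)
        return fqdn.split(".", 1)[0].lower(), user
    return None, typed


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a typed user name cannot change the meaning of the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def resolve_login(typed: str, domains: List[LdapDomain]) -> dict:
    """Decide whether a login goes to the local Firebox user list or to a configured LDAP domain."""
    domain, user = split_login(typed)
    if domain is None:
        # Local accounts are matched case-sensitively against the Firebox user list.
        return {"method": "local", "user": user}
    cfg = next((d for d in domains if d.domain_name.lower() == domain), None)
    if cfg is None:
        raise ValueError(f"no LDAP domain named {domain!r} is configured on the Edge")
    uses_upn = "\\" not in typed and "@" in typed
    if uses_upn and cfg.server_type != "Active Directory":
        raise ValueError("the user@domain form is accepted only for Active Directory")
    return {
        "method": "ldap",
        "user": user,
        "port": cfg.port,
        "base": cfg.search_base,
        "filter": f"({cfg.login_attribute}={escape_filter_value(user)})",
        "group_attribute": cfg.group_attribute,
    }


@dataclass(frozen=True)
class Group:
    """A group created on the Firebox Users > New Group page."""
    name: str
    max_timeout_min: int    # Session maximum time-out; 0 treated as no limit (assumption)
    idle_timeout_min: int   # Session idle time-out; 0 = the Firebox never disconnects for idleness
    allow_vpn: bool = False


def session_close_reason(group: Group, started_at: int, last_packet_at: int, now: int) -> Optional[str]:
    """Why a session of this group's member should stop now, or None. Times are Unix seconds."""
    if group.max_timeout_min and now - started_at >= group.max_timeout_min * 60:
        return "maximum time limit reached"
    if group.idle_timeout_min and now - last_packet_at >= group.idle_timeout_min * 60:
        return "idle time-out reached"
    return None


# Constructed sample configuration.
DOMAINS = [LdapDomain("mycompany", "Active Directory", "OU=user accounts,DC=mycompany,DC=com")]
STAFF = Group("staff", max_timeout_min=480, idle_timeout_min=30, allow_vpn=True)

if __name__ == "__main__":
    for typed in ("admin", "MyCompany\\admin", "admin@mycompany.com"):
        print(typed, "->", resolve_login(typed, DOMAINS))
    print(session_close_reason(STAFF, started_at=0, last_packet_at=0, now=1800))
```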
From the navigation bar, select Firebox Users > Trusted Hosts.
The Firebox Users Trusted Hosts page appears.
Click Add.
Repeat step 2 for other trusted computers.
Click Submit.
To remove a computer from the list, select the address and click
Remove.
CHAPTER 10
Configuring WebBlocker
WebBlocker is an option for the Firebox X Edge that gives you control
of the web sites that are available to your users. Some companies
restrict access to some web sites to increase employee productivity.
Other companies restrict access to offensive web sites.
NOTE
You must purchase the WebBlocker upgrade to use this feature.
Activate WebBlocker
Set the full access password
Set the inactivity time-out
Set a rule for the Firebox action if the Firebox X Edge cannot
connect to the WebBlocker server
Set a rule for the Firebox action if the WebBlocker license
expires
Add a custom message for users to see when WebBlocker denies
access to a web site
To configure WebBlocker:
Add a custom message for users to see when they try to access a
web page that is blocked by WebBlocker. This message will
appear with the usual WebBlocker message.
The message cannot contain HTML tags, the less than (<) or greater than
(>) symbols, and cannot be more than 1000 characters in length.
For example, you can enter the message "This web site does not comply
with our Internal Use Policy." If a user tries to access a web site that is
blocked by WebBlocker, the user's browser shows that message with the
usual WebBlocker message.
10 Click Submit.
Click New.
The New Profile page appears.
6 Click Submit.
To remove a profile, from the WebBlocker Profiles page, select the
profile from the Profile drop-down list. Click Delete.
NOTE
If you do not use user authentication, the default WebBlocker
profile is applied to all users. For more information about user
authentication, see Chapter 9 Managing Users and Groups.
WebBlocker Categories
The WebBlocker database contains nine groups of categories with
40 individual categories. A web site is added to a category when the
contents of the web site meet the correct criteria. Web sites that
give opinion or educational material about the subject matter of the
category are not included. For example, the drugs/drug culture category denies sites that tell how to use marijuana. It does not deny
sites with information about the historical use of marijuana.
Category / Description of Content
Adult/Sexually Explicit
Advertisements: Banner Ad servers; pop-up advertisements; Adware
Arts & Entertainment
Chat: Web-based chat; Instant Message servers
Computing and Internet
Criminal Skills
Drugs, Alcohol, & Tobacco
Education
Finance & Investment
Food & Drink
Gambling
Games
Glamour & Intimate Apparel
Government & Politics
Hacking
Hate Speech
Health & Medicine
Hobbies & Recreation
Hosting Sites
Job Search & Career Development
Kids Sites
Lifestyle & Culture
Motor Vehicles
News: Newspapers online; headline news sites, newswire services, and personalized news services; weather sites
Personals & Dating
Photo Searches
Real Estate
Reference
Religion
Remote Proxies
Search Engines
Sex Education
Shopping
Sports
Streaming Media
Travel
Violence
Weapons
Web-based E-mail
Usenet/Forums
For information on how to see if a web site is included in the SurfControl database, read the How can I see a list of blocked sites?
topic in this FAQ:
https://www.watchguard.com/support/AdvancedFaqs/web_main.asp
NOTE
This WebBlocker feature only applies to web sites on the Internet.
You cannot use WebBlocker to block your users from web sites
behind the Firebox.
To add a domain name, type the URL pattern without the leading
"http://". For example, to allow access to the Google web site, select to
add a domain name and enter google.com.
If the site has a subdomain that resolves to a different IP address, you
must enter that subdomain to allow it. For example, if www.site.com
and site.com are on different servers, you must add both entries.
Click Add.
The site is added to the Allowed Sites list.
Click Submit.
To remove an item from the Allowed Sites list, select the address and
click Remove, then click Submit.
Click Add.
The site is added to the Denied Sites list.
Click Submit.
To remove an item from the Denied Sites list, select the address and
click Remove and then click Submit.
Bypassing WebBlocker
You can make a list of internal hosts that bypass WebBlocker. The
internal hosts that you put on this list also bypass any user authentication settings. If a user is on this list, that user does not have to
authenticate to get access to the Internet. No WebBlocker rules
apply to the users on this list. For more information about user
authentication, see Chapter 9, Managing Users and Groups.
From the navigation bar, select Firebox Users > Trusted Hosts.
The Firebox Users Trusted Hosts page appears.
Click Add.
Repeat step 2 for other trusted computers.
Click Submit.
To remove a computer from the list, select the address and click
Remove.
CHAPTER 11
Configuring Virtual Private Networks
trusted network if those computers get their IP addresses from the Edge
using DHCP. If you want to give the computers IP addresses of WINS and
DNS servers on the other side of the VPN, you can type those addresses
into the DHCP settings in the trusted network setup. For information on
how to configure the Edge to give DHCP addresses, see Using DHCP on
the trusted network on page 68.
Managed VPN
You can configure a VPN tunnel on the Firebox X Edge with two
procedures: Managed VPN and Manual VPN. For information on
creating a Manual VPN, see Manual VPN: Setting Up Manual VPN
Tunnels on page 178.
You must know the authentication method for each end of the
tunnel (MD5 or SHA1). Each VPN device must use the same
authentication method.
We recommend that you write down your Firebox X Edge configuration, and the related information for the other device. Use the Sample VPN Address Information table on the subsequent page to
record this information.
Sample VPN Address Information
Description            Assigned by   Sample values
External IP Address    ISP           Site A: 207.168.55.2 / Site B: 68.130.44.15
Local Network Address  You           Site A: 192.168.111.0/24 / Site B: 192.168.222.0/24
Shared Key             You           Site A: OurSharedSecret / Site B: OurSharedSecret
Encryption Method      You           Site A: 3DES / Site B: 3DES
Authentication         You
Click Add.
The Add Gateway page appears.
Phase 1 settings
Internet Key Exchange (IKE) is a protocol used with VPN tunnels to
manage keys automatically. IKE negotiates and changes keys. Phase
1 authenticates the two sides and creates a key management
security association to protect tunnel data.
The default settings for Phase 1 are the same for all Firebox X
devices. Many users keep the factory-default settings.
NOTE
Make sure that the Phase 1 configuration is the same on the two
devices.
NOTE
If your Edge's external interface has a private IP address instead of
a public IP address, then your ISP or the Internet access device
connected to the Edge's external interface (modem or router) does
Network Address Translation (NAT). See the instructions at the end
of this section if your Edge's external interface has a private IP
address.
Type the number of kilobytes and the number of hours until the
IKE negotiation expires.
To make the negotiation never expire, enter zero (0). For example, 24
hours and zero (0) kilobytes means that the phase 1 key is negotiated
every 24 hours no matter how much data has passed.
Select the group number from the Diffie-Hellman Group drop-down list. WatchGuard supports group 1 and group 2.
Diffie-Hellman groups securely negotiate secret keys through a public
network. Group 2 is more secure than group 1, but uses more processing
power and more time.
Select the Send IKE Keep Alive Messages check box to help
find when the tunnel is down.
Select this check box to send short packets across the tunnel at regular
intervals. This helps the two devices to see if the tunnel is up. If the Keep
Alive packets get no response after three tries, the Firebox X Edge starts
the tunnel again.
NOTE
The IKE Keep Alive feature is different from the VPN Keep Alive
feature in VPN Keep Alive, on page 186.
Speak with the NAT device's manufacturer for information on opening these ports and protocols on the NAT device.
If your Edge's external interface has a private IP address, you cannot
use an IP Address as the local ID type in the Phase 1 settings.
Because private IP addresses cannot get through the Internet, the
other device cannot find your Edge's private external IP address
through the Internet.
If the NAT device to which the Edge is connected has a dynamic
public IP address:
- You must first set the device to Bridge Mode. In Bridge Mode,
the Edge will get the public IP address on its external interface.
Refer to the manufacturer of your NAT device for more
information.
- Then, set up Dynamic DNS on the Edge. For information, see
Registering with the Dynamic DNS Service on page 81. In the
Phase 1 settings of the Manual VPN, set the local ID type to
Domain Name. Enter the DynDNS domain name as the Local
ID. The remote device must identify your Edge by domain
name and it must use your Edge's DynDNS domain name in its
Phase 1 setup.
If the NAT device to which the Edge is connected has a static
public IP address:
- In the Phase 1 settings of the Manual VPN, set the local ID
type drop-down list to Domain Name. Enter the public IP
address assigned to the NAT device's external interface as the
local ID. The remote device must identify your Edge by domain
name, and it must use this same public IP address as the
domain name in its Phase 1 setup.
Phase 2 settings
Phase 2 negotiates the data management security association for
the tunnel. The tunnel uses this phase to create IPSec tunnels and
put data packets together.
You can use the default Phase 2 settings to make configuration easier.
NOTE
Make sure that the Phase 2 configuration is the same on the two
devices.
Type the number of kilobytes and the number of hours until the
Phase 2 key expires.
To make the key not expire, enter zero (0). For example, 24 hours and
zero (0) kilobytes means that the Phase 2 key is renegotiated each 24
hours no matter how much data has passed.
Type the IP address of the local network and the remote
Click Add.
Repeat step 5 if you must add additional networks.
Click Submit.
Click Submit.
the devices cannot be made unless the two devices know how to
find each other.
You can use Dynamic DNS if you cannot get a static external IP
address. For more information, see Registering with the Dynamic
DNS Service on page 81.
If you can ping the external address of each Firebox X Edge, try
to ping a local address in the remote network.
From a computer at Site A, ping the internal interface IP address of the
remote Firebox X Edge. If the VPN tunnel is up, the remote Edge sends
the ping back. If the ping does not come back, make sure the local
configuration is correct. Make sure that the local DHCP address ranges
for the two networks connected by the VPN tunnel do not use any of the
same IP addresses. The two networks connected by the tunnel must not
use the same IP addresses.
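The checks this section asks you to make by hand, as an added example that is not part of the guide or of WatchGuard's software: the shared key and the Phase 1 and Phase 2 settings must be the same on both devices, the Edge supports only Diffie-Hellman groups 1 and 2, a private external IP address cannot be used as an IP Address local ID, the local networks on the two sides must not overlap, and a lifetime of zero hours or zero kilobytes means that limit never triggers a renegotiation. The addresses come from the Sample VPN Address Information table; the Phase 1 and Phase 2 values are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Phase1:
    """IKE Phase 1 settings entered on the Add Gateway page."""
    auth: str              # "MD5" or "SHA1"
    encryption: str        # "3DES" in the guide's sample table
    dh_group: int          # the Edge supports Diffie-Hellman group 1 and group 2
    lifetime_hours: int    # 0 = the negotiation never expires on time
    lifetime_kb: int       # 0 = the negotiation never expires on data volume
    local_id_type: str     # "IP Address" or "Domain Name"
    local_id: str


@dataclass(frozen=True)
class Phase2:
    """IPSec Phase 2 settings."""
    auth: str
    encryption: str
    lifetime_hours: int
    lifetime_kb: int


@dataclass(frozen=True)
class Site:
    name: str
    external_ip: str
    local_networks: Tuple[str, ...]   # networks behind this Edge, in CIDR form
    shared_key: str
    phase1: Phase1
    phase2: Phase2


def negotiated(p1: Phase1):
    """Phase 1 values that must be identical on both devices; the local ID is per device."""
    return (p1.auth, p1.encryption, p1.dh_group, p1.lifetime_hours, p1.lifetime_kb)


def rekey_due(lifetime_hours: int, lifetime_kb: int, hours_elapsed: float, kb_passed: int) -> bool:
    """A key is renegotiated when either non-zero limit is reached; a zero limit never triggers."""
    by_time = lifetime_hours > 0 and hours_elapsed >= lifetime_hours
    by_data = lifetime_kb > 0 and kb_passed >= lifetime_kb
    return by_time or by_data


def check_tunnel(a: Site, b: Site) -> List[str]:
    """Return the configuration mismatches the guide's troubleshooting text tells you to look for."""
    findings = []
    if a.shared_key != b.shared_key:
        findings.append("shared key differs between the two devices")
    if negotiated(a.phase1) != negotiated(b.phase1):
        findings.append("Phase 1 settings are not the same on the two devices")
    if a.phase2 != b.phase2:
        findings.append("Phase 2 settings are not the same on the two devices")
    for s in (a, b):
        if s.phase1.dh_group not in (1, 2):
            findings.append(f"{s.name}: Diffie-Hellman group {s.phase1.dh_group} is not supported")
        ext = ipaddress.ip_address(s.external_ip)
        if ext.is_private and s.phase1.local_id_type == "IP Address":
            findings.append(f"{s.name}: external IP {ext} is private (NAT in front); "
                            "use Domain Name as the local ID type")
    for na in a.local_networks:
        for nb in b.local_networks:
            if ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb)):
                findings.append(f"local networks {na} and {nb} overlap; "
                                "the two sides must not use the same IP addresses")
    return findings


# Addresses from the guide's sample table; the Phase 1/2 settings are constructed.
P1_A = Phase1("SHA1", "3DES", 2, 24, 0, "IP Address", "207.168.55.2")
P1_B = replace(P1_A, local_id="68.130.44.15")
P2 = Phase2("SHA1", "3DES", 8, 0)
SITE_A = Site("Site A", "207.168.55.2", ("192.168.111.0/24",), "OurSharedSecret", P1_A, P2)
SITE_B = Site("Site B", "68.130.44.15", ("192.168.222.0/24",), "OurSharedSecret", P1_B, P2)

if __name__ == "__main__":
    print("sample tunnel:", check_tunnel(SITE_A, SITE_B) or "no findings")
    print("24 h / 0 KB lifetime, 24 h elapsed, no data:", rekey_due(24, 0, 24, 0))
```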
a Firebox X Edge Model Upgrade from a reseller or from the WatchGuard Web site:
http://www.watchguard.com/products/purchaseoptions.asp
CHAPTER 12
Configuring the MUVPN Client
Mobile User VPN lets remote users connect to your internal network
through a secure, encrypted channel. The MUVPN client is a software
application that is installed on a remote computer. The client makes a
secure connection from the remote computer to your protected network through an unsecured network. The MUVPN client uses Internet
Protocol Security (IPSec) to secure the connection.
This example shows how the MUVPN client is used:
The MUVPN client software is installed on a remote computer.
The remote user imports a configuration file (.wgx file) to
configure the client software.
The user connects to the Internet with the remote computer. The
user starts the MUVPN client by activating the security policy.
The MUVPN client creates an encrypted tunnel to the Firebox X
Edge.
The Firebox X Edge connects the remote computer to the trusted
network. The employee now has secure remote access to the
internal network.
The MUVPN client is available in two different packages. One version
includes ZoneAlarm, a personal software-based firewall. ZoneAlarm
gives remote computers more security. The other package does not
Preferred
If the virtual adapter is in use or it is not available, the mobile
user does not use a virtual adapter to connect with the MUVPN
client.
If the virtual adapter is available, the remote computer is
assigned the WINS and DNS addresses you entered in the
Firebox Users > Settings area of the Edge configuration pages.
Required
The mobile user must use a virtual adapter to connect with the
MUVPN client. If the virtual adapter is not available on the
MUVPN client computer, the VPN tunnel cannot connect.
The remote computer is assigned WINS and DNS addresses you
entered in the Firebox Users > Settings area of the Edge
configuration pages.
Type the IP addresses of the DNS and WINS servers for the
MUVPN clients.
For more information on these settings, see Configuring MUVPN
client settings on page 140.
Select Mobile User from the VPN Client Type drop-down list if
the remote user is connecting from a desktop or laptop
computer instead of a handheld device such as a Pocket PC.
NOTE
WatchGuard does not distribute a MUVPN software package for
Pocket PCs. You must follow the software manufacturer's
instructions to configure their software and the Pocket PC. For
more information about configuring your Pocket PC as an MUVPN
client, see Tips for Configuring the Pocket PC on page 214.
NOTE
The shared key is highly sensitive information. For security
reasons, we recommend that you do not give the user the shared
key in an e-mail. Because e-mail is not secure, an unauthorized
user can get the shared key. Give the user the shared key by telling
it to the user, or by some other method that does not allow an
unauthorized person to get the shared key.
Windows NT setup
Use this section to install the network components for the Windows
NT operating system. These components must be installed before
you can use the MUVPN client on a Windows NT computer.
From the Windows desktop, select Start > Settings > Control
Panel.
NOTE
If there is no modem installed, select the check box marked Don't
detect my modem; I will select it from a list. Select the standard
28800 modem. If a modem is not available, you can select a serial
cable between two computers.
The DNS server on the private network of the Firebox X Edge must
be the first server in the list.
Click the WINS Address tab, type the IP address of your WINS
server in the applicable field, and then click OK.
You can also add a secondary or backup WINS server IP address.
Click Install.
The Select Network Component Type window appears.
Click Install.
The Select Network Component Type window appears.
Click Install.
The Select Network Component Type window appears.
Click Advanced.
The Advanced TCP/IP Settings window appears.
Click the DNS tab and from the section labeled DNS server
addresses, in order of use, click Add.
The TCP/IP DNS Server window appears.
The DNS server on the private network of the Firebox X Edge must
be the first server in the list.
Select the Append these DNS suffixes (in order) radio button
and click Add.
The TCP/IP Domain Suffix window appears.
Type the domain suffix in the applicable field and click Add.
To add more DNS suffixes, repeat steps 5 and 6.
Click the WINS tab. From the section WINS addresses, in order
of use, click Add.
The TCP/IP WINS Server window appears.
Windows XP setup
Use this section to install and configure the network components
for the Windows XP operating system. You must install these components if you use the MUVPN client on a Windows XP computer.
From the Windows desktop:
Click Install.
The Select Network Component Type window appears.
Click Install.
The Select Network Component Type window appears.
Click Install.
The Select Network Component Type window appears.
Type the IP address of the DNS server in the related field and
click Add.
NOTE
The DNS server on the private network of the Firebox X Edge must
be the first server in the list.
Select the Append these DNS suffixes (in order) radio button.
Below the radio button, click Add.
The TCP/IP Domain Suffix window appears.
12 Type the IP address of the WINS server in the related field and
click Add.
To add more WINS servers, repeat steps 11 and 12.
Copy the MUVPN installation program and the .wgx file to the
remote computer.
Click Next.
If the InstallShield shows a message about read-only files, click Yes to
continue the installation.
NOTE
The ZoneAlarm personal firewall could prevent you from
connecting to the network after the computer restarts. If this
occurs, log on to the computer locally the first time after
installation. For more information, see The ZoneAlarm Personal
Firewall on page 211.
NOTE
The ZoneAlarm personal firewall settings are kept in these
directories by default.
Windows NT and 2000: c:\winnt\internet logs\
Windows XP: c:\windows\internet logs
To remove these settings, delete the contents of the appropriate
directory.
From the Windows desktop, select Start > Programs > Mobile
User VPN > Connect.
The WatchGuard Mobile User Connect window appears.
Click Yes.
The MUVPN Security Policy is not active. This icon can appear if
the Windows operating system did not start a required MUVPN
service. If this occurs, the remote computer must be restarted. If
the problem continues, remove and install the MUVPN client
again.
Activated
IreIKE.exe
The ZoneAlarm personal firewall detects when these programs try to
get access to the Internet. A New Program alert window appears to
request access for the MuvpnConnect.exe program.
From the New Program alert window:
Select the Remember this answer the next time I use this
program check box, then click Yes.
This option makes the ZoneAlarm personal firewall allow Internet access
for this program each time you start a MUVPN connection.
The New Program alert window appears to request access for the
IreIKE.exe program.
Set the Remember this answer the next time I use this
program check box, then click Yes.
This option makes the ZoneAlarm personal firewall allow Internet access
for this program each time you start a MUVPN connection.
Click Yes.
IreIKE.exe
MuvpnConnect.exe
CmonApp.exe
ViewLog.exe
OUTLOOK.exe
MS Internet Explorer
IEXPLORE.exe
Netscape 6.1
netscp6.exe
Opera.exe
lsass.exe
services.exe
svchost.exe
winlogon.exe
Click Yes.
Uninstalling ZoneAlarm
From the Windows desktop:
Select Start > Programs > Zone Labs > Uninstall ZoneAlarm.
The Confirm Uninstall dialog box appears.
Click Yes.
The ZoneLabs TrueVector service dialog box appears.
Click Yes.
The Select Uninstall Method window appears.
NOTE
The Remove Shared Component window can appear. During the
initial installation of ZoneAlarm, some files were installed that can
be shared by other programs on the system. Click Yes to All to
completely remove all of these files.
Click Submit.
Now you must decide which networks the wireless computers can
connect with. When the wireless computers must authenticate as
MUVPN clients, you can allow the computers to connect to:
Trusted network only
Click Submit.
If all traffic from the Pocket PC must flow through the VPN,
select the check box All traffic uses tunnel (0.0.0.0/0 IP
Subnet) in the Firebox users MUVPN setup.
Troubleshooting Tips
You can get more information about the MUVPN client from the
WatchGuard Web site:
http://www.watchguard.com/support
Here are the answers to some frequently asked questions about the
MUVPN client:
5 Click Yes.
I must enter my network login information even when
I am not connected to the network.
When you start your computer, you must type your Windows network user name, password, and domain. It is very important that
you type this information correctly. Windows keeps this information
for use by network adapters and network applications. When you
connect through the MUVPN client, your computer uses this information to connect to the company network.
I am not asked for my user name and password when I
turn my computer on.
The ZoneAlarm personal firewall application can cause this problem.
ZoneAlarm keeps your computer secure from unauthorized incoming and outgoing traffic. It can also prevent your computer from
sending its network information. This prevents your computer from
sending the login information. Make sure you turn off ZoneAlarm
each time you disconnect the MUVPN connection.
Is the MUVPN tunnel working?
The MUVPN client icon appears in the Windows desktop system tray
when the software application is started. The MUVPN client shows a
key in the icon when the client is connected.
To test the connection, ping a computer on your company network.
Select Start > Run. Type cmd and click OK. At the command
prompt, type ping and the IP address of a computer on your
company network.
My mapped drives have a red X through them.
Windows NT and 2000 examine and map network drives automatically when the computer starts. Because you cannot create a remote
session with the company network before the computer starts, this
procedure fails, which causes a red X to appear on the drive icons.
To correct this problem, start a MUVPN tunnel and open the network drive. The red X for that drive disappears.
4 Click OK.
The mapped drive appears in the My Computer window. Even if you
select the Reconnect at Logon check box, the mapped drive appears
when you start your computer only if the computer is directly connected to the network.
I am sometimes prompted for a password when I am
browsing the company network.
Because of a Windows networking limitation, remote user VPN
products can allow access only to a single network domain. If your
company has more than one network connected together, you can
only browse your own domain. If you try to connect to other
domains, a password prompt appears. Unfortunately, even if you
give the correct information, you cannot get access to these other
networks.
It takes a very long time to shut down the computer
after using the MUVPN client.
If you get access to a mapped network drive during an MUVPN session, the Windows operating system does not shut down until it
gets a signal from the network.
I lost the connection to my ISP, and now I cannot use
the company network.
If your Internet connection is interrupted, the connection to the
MUVPN tunnel could stop. Follow the procedure to close the tunnel.
Reconnect to the Internet, then restart the MUVPN client.
APPENDIX A
Firebox X Edge Hardware
Processor: 64 bit MIPS
CPU: 266 MHz
Memory - Flash: 16 MB
Memory - RAM: 64 MB
Ethernet interfaces: 10 each 10/100
Serial ports: 1 DB9
Power supply: 12V DC
Environment
Operating Temperature: 0 - 40C
Dimensions: Depth = 5 inches, Width = 8.75 inches, Height = 1.25 inches
Weight
Hardware Description
The Firebox X Edge has a simple hardware architecture. All
indicator lights appear on the front panel while all ports and
connectors are on the rear panel of the device.
Front panel
The front panel of the Firebox X Edge has 24 indicator lights to
show the link status. The top indicator light in each link pair comes
on when a link is made and flashes when traffic goes through the
related interface. The bottom indicator light in each pair comes on
when the link speed is 100 Mbps. If the bottom indicator light does
not come on, the link speed is 10 Mbps.
WAN 1, 2
Shows a physical connection to the external Ethernet interfaces.
The indicator light is yellow when traffic goes through the
related interface.
WAP
Shows that the Firebox X Edge is activated as a wireless access
point. The indicator light is green when traffic goes through the
wireless interface on a Firebox X Edge Wireless model.
F/O
Shows a WAN failover. The indicator light is green when there is
a WAN failover from WAN1 to WAN2. The indicator light goes
off when the external interface connection goes back to WAN1.
Link
The link indicator light shows a physical connection to a trusted
Ethernet interface. The trusted interfaces have the numbers 0
through 6. The indicator light comes on when traffic goes
through the related interface.
100
When a trusted network interface operates at 100 Mbps, the
related 100 indicator light comes on. When it operates at 10
Mbps, the indicator light does not come on.
Status
Shows a management connection to the Edge. The indicator
light goes on when you use your browser to connect to the Edge
configuration pages. The indicator light goes off a short time
after you close your browser.
Mode
Shows the status of the external network connection. The
indicator light comes on when the Ethernet cable is correctly
connected to the WAN1 interface. The indicator light is green if
the Edge can connect to the external network and send traffic.
The indicator light flashes if the Edge cannot connect to the
external network and send traffic.
Attn
Reserved for future use.
Power
Shows that the Firebox X Edge is on.
RESET button
Use the procedure to reset the Firebox X Edge to Factory
Default Settings on page 41.
Rear view
Side panels
Computer Lock Slot
There is a slot for a computer lock on the two side panels of the
Firebox X Edge.
Antennae (wireless model only)
There are wireless antennae on the two side panels of the Firebox
X Edge Wireless models.
Wall mounting plate (wireless model only)
The wall mounting plate enables you to put the Firebox X Edge
in a good location to increase the range.
This equation shows that the channel capacity (bits/s) is set by:
Channel bandwidth: 11 Mbits/s for 802.11b and 54 Mbits/s for
802.11g
Signal strength: 15 dBm transmitted by the Firebox X Edge
Wireless
Noise level: Set by the environmental conditions and the design
of the receiver.
The maximum data rate cannot be more than the channel capacity.
Noise level
Channel capacity is decreased by increasing the noise level in the
frequency range of the system. The noise level is set by many factors. First, it is affected by background noise caused by the ambient
temperature of the atmosphere at the frequency range of the system. Also, the operating temperature of the components of the
802.11g/b receiver creates noise. The primary cause of interference
is transmitters that use the same frequency range:
Cordless phones
An 802.11b device set to use adjacent channels. We recommend
that you set three channels between each adjacent wireless
access points (e.g. 1, 5, and 9 or 2, 6, and 10).
Microwave ovens
Sodium-type lighting systems (fusion lamps)
Arc welders (broadband spark-gap transmitters)
Bluetooth transmitters (A Bluetooth transmitter operates at a
lower power level than an 802.11b device. To cause
interference, the Bluetooth transmitter must be very near to an
802.11b receiver.)
Industrial, scientific, and medical equipment that can also
operate in this frequency range.
Channel bandwidth
Channel bandwidth changes when you use different modulations.
Devices compliant with the 802.11b standard use the CCK (11 Mbps,
5.5 Mbps), DQPSK (2 Mbps), and DBPSK (1 Mbps) modulation
schemes. 802.11g devices use OFDM. The Firebox X Edge automatically selects the modulation procedure that gives the lowest Packet
Error Rate (PER). The PER is not allowed to be more than eight per-
APPENDIX B
Legal Notifications
3. All advertising materials mentioning features or use of this software must display the
following acknowledgment: "This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote
products derived from this software without prior written permission. For written permission,
please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear
in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This
product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This
product includes software written by Tim Hudson (tjh@cryptsoft.com).
1995-2003 Eric Young (eay@cryptsoft.com)
All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions
are adhered to. The following conditions apply to all code found in this distribution, be it the
RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this
distribution is covered by the same copyright terms except that the holder is Tim Hudson
(tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be
removed. If this package is used in a product, Eric Young should be given attribution as the
author of the parts of the library used. This can be in the form of a textual message at program
startup or in documentation (online or textual) provided with the package. Redistribution and
use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and
the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other materials provided
with the distribution.
3. All advertising materials mentioning features or use of this software must display the
following acknowledgement: "This product includes cryptographic software written by Eric
Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the routines from the
library being used are not cryptographic related.
Industry Canada
This Class A digital apparatus meets all requirements of the
Canadian Interference-Causing Equipment Regulations.
CANADA RSS-210
The term IC: before the radio certification number only
signifies that Industry of Canada technical specifications were
met.
Operation is subject to the following two conditions: (1) this
device may not cause interference, and (2) this device must
accept any interference, including interference that may cause
undesired operation of the device.
France
NOTE! In France, this product may only be installed and
operated indoors, and only on channels 10, 11, 12, 13 as defined
by IEEE 802.11g/b. Use of the product outdoors, or on any other
channel, is illegal in France.
Taiwanese Notices
Declaration of Conformity
THE USE OF OR INABILITY TO USE THE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE
OF ANY AGREED REMEDY.
5. MISCELLANEOUS PROVISIONS. This Warranty will be governed by the laws of the state of
Washington, U.S.A., without reference to its choice of law rules. The provisions of the 1980
United Nations Convention on Contracts for the International Sales of Goods, as amended, shall
not apply. You agree not to directly or indirectly transfer the Product or associated
documentation to any country to which such transfer would be prohibited by the U.S. Export
laws and regulations. If any provision of this Warranty is found to be invalid or unenforceable,
then the remainder shall have full force and effect and the invalid provision shall be modified or
partially enforced to the maximum extent permitted by law to effectuate the purpose of this
Warranty. This is the entire agreement between WatchGuard and you relating to the Product,
and supersedes any prior purchase order, communications, advertising or representations
concerning the Product AND BY USING THE PRODUCT YOU AGREE TO THESE TERMS. IF THE
PRODUCT IS BEING USED BY AN ENTITY, THE INDIVIDUAL INDICATING AGREEMENT TO THESE
TERMS BY USING THE PRODUCT REPRESENTS AND WARRANTS THAT (A) SUCH INDIVIDUAL IS
DULY AUTHORIZED TO ACCEPT THE WARRANTY ON BEHALF OF THE ENTITY AND TO BIND THE
ENTITY TO THE TERMS OF THIS WARRANTY; (B) THE ENTITY HAS THE FULL POWER, CORPORATE
OR OTHERWISE, TO ENTER INTO THE WARRANTY AND PERFORM ITS OBLIGATIONS UNDER THE
WARRANTY AND; (C) THE WARRANTY AND THE PERFORMANCE OF THE ENTITY'S OBLIGATIONS
UNDER THE WARRANTY DO NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO WHICH THE ENTITY
IS A PARTY. No change or modification of the Warranty will be valid unless it is in writing and is
signed by WatchGuard.
Symbols
.wgx files
described 192
distributing 196
viewing available 34
A
Add Gateway page 181
Add Route page 79
Administration page
described 34
subpages of 35
Administrative Access levels 138
administrator account 145
Aggressive Mode 182
Allow access to the External Network check box 144
Allow access to VPN check box 144
Allowed Sites pages 171
antenna directional gain 225
authentication. See user authentication
B
bandwidth, described 2
Blocked Sites page 119
broadband connections 2
C
cables
included in package 11, 220
cabling
for 0-6 devices 19
for 7+ devices 20
channel bandwidth 226
CIDR notation 79, 110, 111, 185
Classless Inter Domain Routing 79, 110, 111, 185
Client for Microsoft Networks, installing 201
configuration file, viewing 57
configuration pages
description 30-40
navigating 30
opening 30
viewing 29
configuration pages. See also pages
Connection Monitor, using to monitor MUVPNs 210
custom incoming services, creating 107, 108, 113
Custom Service page 108, 114
D
daylight savings time 130
default factory settings 41-42
Denied Sites page 172
DHCP
described 5, 60
setting your computer to use 22
using on the optional network 74
DHCP address reservations
setting on the optional network 75
setting on the trusted network 69
DHCP Address Reservations page 70, 76
DHCP relay
configuring the optional network 76
configuring the trusted network 70
DHCP server
configuring Firebox as 68, 74
dialog boxes
Internet Protocol (TCP/IP) Properties 22, 23
Wireless Network Connection 102
dialup settings, configuring 88
Diffie-Hellman groups 183
Digital Subscriber Line (DSL) 2
DNS service, dynamic 81
DNS settings, and WAN failover 88
DNS, described 6
DVCP, described 178
Dynamic DNS client page 82
dynamic DNS service, registering with 81-82
Dynamic Host Configuration Protocol. See DHCP
dynamic IP addresses
described 14
E
echo host 187
Enable DHCP Relay check box 71
Enable DHCP Server on the Trusted Network check box 69
Enable Optional Network check box 73
event, described 125
external network
described 9
if ISP uses DHCP 61
if ISP uses PPPoE 63
if ISP uses static addressing 62
External Network Configuration page 61, 62, 63
F
factory default settings
described 41
resetting to 42
failover network. See WAN failover
feature key, described 26
File and Printer Sharing for Microsoft Networks
and Windows XP 203
File and Printer Sharing for Microsoft Networks, installing 200
Filter Traffic page 106, 112, 117
Firebox users
creating 142
viewing settings for 134
Firebox Users page 135, 142, 146, 148, 151
described 34
subpages of 34
Firebox X Edge
administrator account 145
and SOCKS 121
authenticating to 141
back panel 223
cabling 19
configuring as DHCP server 68
described 219
front panel 221
hardware description 221-223
H
hardware description 221-223
hardware operating specifications 223
hardware specifications 220
HTTP proxy settings, disabling 17
HTTP server port, changing 45
HTTP/HTTPS, using for Firebox management 44
I
incoming service, creating custom 107, 108, 113
indicator lights 221
installation
determining TCP/IP settings 13
disabling TCP/IP proxy settings 17
setting your computer to connect to Edge 22
TCP/IP properties 14
installation requirements 11, 12
installing the Firebox X Edge 11-27
Internet
L
lights on front panel 221
LiveSecurity Service
and software updates 52
registering with 26
Local Area Network (LAN)
described 2
Log Authentication Events check box 93
log messages
contents of 125
viewing 125
Log Viewer, using to monitor MUVPNs 210
logging
configuring 125-131
described 125
to Syslog host 128
to WSEP log host 126
viewing status of 37
Logging page 126
described 37
subpages of 37
M
Manual VPN page 181
Manual VPNs
creating 181
described 178
Manually configure DNS server IP addresses check box 88
model upgrades 56
modems
N
navigation bar 31
netmask 14
Network Address Translation (NAT), and the Edge 14, 183
network addressing, described 13
network interfaces, configuring 59-85
Network page
described 33
subpages of 33-34
network security, described 1
Network Setup Wizard 59
Network Statistics page 80
network statistics, viewing 80
networks, types of 2
New User page 143
O
optional network
assigning static IP addresses on 77
changing IP address of 73
configuring 72-78
configuring additional computers on 77
described 9, 72
enabling 73
setting DHCP address reservations on 75
using DHCP on 74
using DHCP relay on 76
Optional Network Configuration page 73, 74, 75, 77
options
model upgrade 56
MUVPN Clients 56
seat license upgrade 56
WAN failover 56
WebBlocker 56
P
package contents 11
packets, described 4
pages
Add Gateway 181
Add Route 79
Administration 34
Allowed Sites 171
Blocked Sites 119
Custom Service 108, 114
Denied Sites 172
DHCP Address Reservations 70, 76
Dynamic DNS client 82
External Network Configuration 61, 62, 63
Filter Traffic 106, 112, 117
Firebox Users 34, 135, 142, 146, 148, 151
Firewall 35
Firewall Options 120
Logging 37, 126
entering settings 17
profiles
creating WebBlocker 159-160
protocols
described 3
TCP, UDP 3
TCP/IP 3
Q
Quick Setup Wizard
and viewing configuration pages 29
described 24
running 24
R
read-only administrative account 144
rebooting 43-44
Remote Access Services, installing 198
RESET button 222
resetting to factory default 42
Restrict Access by Hardware Address check box 98
routes
configuring static 78
viewing 33
Routes page 78
S
seat licenses
described 133, 137
upgrade 56
seat limitation 20
serial number, viewing 32
services
creating custom 107-109, ??111, 113-115
creating custom incoming 107, 108, 113
described 6, 103
viewing current 35
Session idle time-out field 144
Session maximum time-out field 144
sessions
closing 135
described 133
idle timeout 144
maximum timeout 144
releasing 20
viewing current active 134
viewing currently active 134
Settings page 138
shared secret 180
signal attenuation 225
signal strength 225
SOCKS
configuring 122
configuring for Edge 121
described 121
disabling 122
software updates 52
SSID (Service Set Identifier) 92
static IP addresses
and VPNs 187
described 14
obtaining 188
static routes
making 78
removing 79
subnet mask 14
SurfControl 155
Syslog host, logging to 128
Syslog Logging page 128
Syslog, described 128
system configuration pages. See configuration pages
System Security page 45
System Status page
described 32
green triangle on 32
information shown on 32
navigation bar 31
system time
setting 129
System Time page 130
T
TCP (Transmission Control Protocol) 3
TCP/IP properties 14
TCP/IP settings, determining 14-17
TCP/IP, described 3
time zone, setting 129
traffic, logging all outbound 123
Trusted Hosts page 153, 174
trusted network
assigning static IP addresses on 71
changing IP address of 67
configuring 66??
configuring additional computers on 71
described 8
Trusted Network Configuration page 68, 69, 71, 134
U
UDP (User Datagram Protocol) 3
Uniform Resource Locator (URL) 6
updating software 40
upgrade options, activating 54
upgrade options, viewing status of 32
Upgrade page 55
user accounts
changing name, password 146
configuring MUVPN settings 140
configuring MUVPN settings for all 193
creating new 142
deleting 137
editing 136
enabling MUVPN access for 194
read-only administrative 144
setting WebBlocker profile for 145, 152
viewing 136
viewing current 34
user authentication
changing options for 138
described 137
process 141
users. See Firebox users
V
virtual adapter, settings for 140, 193
VPN Keep Alive page 187
VPN Manager
described 46
setting up access to 46??
VPN Manager Access page 46
VPN page
described 38
subpages of 39
VPN Statistics page 187
VPNs
and static IP addresses 187
described 175
Keep Alive feature 186
special considerations for 176
troubleshooting connections 188
viewing statistics 187
what you need to create 176
W
wall mounting plate 223
WAN Failover
and DNS settings 88
configuring 83
described 56, 83
using broadband connection for 85
using external modem for 87
WAN Failover page 85
WAN Failover Setup Wizard 84
WAN ports 223
WAN1 port 83
WAN2 port 83
WatchGuard Security Event Processor 126
WatchGuard Security Event Processor Logging page 127
Web sites
blocking specific 172
blocking using WebBlocker ??153, ??174
bypassing WebBlocker 171
WebBlocker
allowing sites to bypass 171
categories 161??
creating profiles 159-160
database 155
defining profile 145, 152
WebBlocker page
described 38
subpages of 38??
WebBlocker Settings page 157, 159
Wide Area Network (WAN), described 2
Windows 2000
preparing for MUVPN clients 200
Windows 98/ME
preparing for MUVPN clients 198
Windows NT
preparing for MUVPN clients 198
Windows XP
installing File and Printer Sharing for Microsoft Networks on 203
installing Internet Protocol (TCP/IP) Network Component on 202
preparing for MUVPN clients 202
WINS and DNS settings, configuring 199, 201
wireless card, configuring 101
wireless communication
antenna directional gain 225
channel bandwidth 226
described 224
noise level 224
path-loss 225
signal attenuation 225
signal strength 225
Wireless Encryption Privacy (WEP) 94
Wireless Network Configuration page 91
Wireless Network Connection dialog box 102
Wireless Network Wizard 90
wireless networks
using MUVPN on 213
wireless setup 89??
wizards
Network Setup 59
Quick Setup 24
WAN Failover Setup 84
Wireless Network 90
Wizards page 39
WSEP 126
Z
ZoneAlarm
allowing traffic through 211
described 191, 211
icon for 209
shutting down 212
uninstalling 212